
Authorization and Authentication Infrastructure


Presentation Transcript


  1. Authorization and Authentication Infrastructure
     Daan Broeder & Dieter Van Uytvanck, Max Planck Institute for Psycholinguistics, Firstname.lastname@mpi.nl
     CLARIN-NL Info Session, Nijmegen, 2009-07-01

  2. Overview
     CLARIN-NL Info Session Nijmegen 2009-07-01 www.clarin.eu
     • CLARIN and the holy grail
     • Traditional Federations
     • AAI prototype
     • Planning

  3. CLARIN and the Holy Grail (1)
     • A researcher authenticates at his/her own organization and creates a “virtual” collection of resources from different repositories.

  4. CLARIN and the Holy Grail (2)
     • … by browsing a catalogue, searching through metadata, or searching in resource content.
     • A workflow specification tool to process this virtual collection with possibly a mix of home-grown and remote service components.
     • Resulting data can be added to the origin repositories (with the “virtual” collection).
     • For our domain this is very ambitious and challenging, but even a partial realization is worthwhile!

  5. Traditional Federations (1)
     From a local user store to a traditional federation…
     (diagram, three stages labelled Local, External and Federation: an SP with its own DB/LDAP user store, an SP querying an external LDAP, and SP and IDP exchanging SAML over HTTP via the browser)

  6. Traditional Federations (2)
     (diagram: several IdP/SP pairs, each IdP paired with one SP)

  7. CLARIN AAI prototype (1)
     (diagram: an (Identity) Federation in which many IDPs and SPs are connected through the federation)

  8. CLARIN AAI Prototype (2)
     • 7 Service Providers:
       • INL, Meertens Instituut, MPI
       • IDS, DFKI, BBAW
       • CSC / U Helsinki
     • 3 national Identity Federations:
       • SurfFederatie (NL)
       • DFN (DE)
       • HAKA (FI)

  9. AAI prototype agreements
     • Two options:
       • One SP signs on behalf of all participating SPs (1xN, preferred)
       • Every SP signs a separate contract with each national Identity Federation (NxN, more fuss but feasible)

  10. Planning
     • Before end 2009: prototype federation
       • WP7: contractual issues
       • WP2: technical aspects
     • Keep good contacts with GEANT3/TERENA/eduGAIN
     • Talks with CSC about implementing a common code of conduct service

  11. Thank you for your attention
     CLARIN has received funding from the European Community's Seventh Framework Programme under grant agreement n° 212230

  12. Backup slides

  13. References
     • http://www.terena.org/activities/tf-emc2/meetings/12/slides/eduGAINstatus.pdf
     • http://www2.surfnet.nl/bijeenkomsten/rd2008/sheets/zandbelt.ppt
     • http://www.clarin.eu/events/aai-hands-on-workshop

  14. CLARIN SP: include MD about IdPs within each national IdF
     (diagram: the CLARIN SP consumes the metadata published by DFN, HAKA and SurfFederatie; the delivery mechanism differs per IdF: SWITCH system, SMTP, or unknown (?))
     • Push SP metadata to the national IdF via the protocol chosen by the specific IdF

  15. With eduGAIN 2.0
     (diagram: the CLARIN SP includes MD about the national IdPs in its SP MD; the eduGAIN metadata hub aggregates the DFN, HAKA and SurfFederatie metadata)
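Slides 14 and 15 describe the SP consuming per-federation or eduGAIN-aggregated IdP metadata. The following is an added example, not from the slides or any CLARIN software: it parses a SAML 2.0 metadata aggregate of that kind and lists the IdPs and their SSO endpoints, refusing an aggregate whose validUntil has passed. The aggregate is a constructed sample with placeholder entityIDs; verification of the aggregate's XML signature is assumed to happen before this step and is not shown.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}

# Constructed sample aggregate: two IdPs and one SP, validUntil far in the future.
SAMPLE_AGGREGATE = f"""<md:EntitiesDescriptor xmlns:md="{MD}"
    Name="https://federation.example.invalid/metadata" validUntil="2099-01-01T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp-a.example.invalid/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp-a.example.invalid/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp-b.example.invalid/saml">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://idp-b.example.invalid/saml/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.invalid/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def parse_valid_until(value):
    """validUntil is an xs:dateTime in UTC ('Z'); return an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def trusted_idps(aggregate_xml, now=None):
    """Return {entityID: [(binding, location), ...]} for every IdP in the aggregate.

    A stale aggregate may still list IdPs the federation has since removed,
    so an expired validUntil is treated as an error rather than ignored."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(aggregate_xml)
    valid_until = root.get("validUntil")
    if valid_until and parse_valid_until(valid_until) < now:
        raise ValueError("metadata aggregate expired; refusing to trust its IdP list")
    idps = {}
    for entity in root.findall("md:EntityDescriptor", NS):
        idp = entity.find("md:IDPSSODescriptor", NS)
        if idp is None:          # SP entries carry no IdP role, skip them
            continue
        idps[entity.get("entityID")] = [
            (sso.get("Binding"), sso.get("Location"))
            for sso in idp.findall("md:SingleSignOnService", NS)
        ]
    return idps
```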

  16. Beyond the Traditional Federations: SPO
     (diagram: several IdP/SP pairs on the left; on the right a Service Provider Federation/Organization grouping the SPs, with the IDPs outside it)

  17. AAI Issues & Challenges (1)
     • CLARIN is not an IdF
       • Our intended clientele is too widespread
       • No special IdP configuration can be expected
       • So, only an SP organization relying on national IdFs
     • What forms the SP organization (wrt. AAI)?
       • LRT Community
       • Standard contracts with the (national) IdFs
       • Common set of CCs / licenses
       • Attribute requirements
       • Shallow versus deep federation
       • SPs specify auditing level
       • No penalties

  18. AAI Issues & Challenges (2)
     • Attribute harmonization
       • eduGAIN solves it all?
     • WAYF (& WFAYF)
     • AAI software
       • Shibboleth and SimpleSAMLphp
       • Is there more needed?
     • Guest accounts for the homeless

  19. AAI Issues & Challenges (3)
     • SSO for client applications
       • E.g. downloading distributed virtual collections
     • SSO for web services
       • Deal with workflows chaining web services from different providers
     • SSO when dealing with CCs, 3 options:
       • Leave it to the SP
       • User attribute (~ IdP)
       • Separate service, external attribute authorities
     • Use of GRID resources
       • Data GRID & Compute GRID

  20. eduGAIN confederation
     • Connect national AAI on a pan-European level
     • GEANT (2,3) workgroup: TF-EMC2
     • CLARIN: excellent use case!

  21. CLARIN Federation Infrastructure
     • CLARIN wants to be an LR&T “service federation”
       • simplified and unified rules for licensing, accessing
       • agreements with national identity federations
       • must make sure all necessary attributes are available
     • cater also for A&A
       • of non-web applications
       • and web services
     • interaction with GRID AAI
     (diagram: LRT Service Providers and eJournal Service Providers, each bound by trust agreements to the national Identity Federations)

  22. DAM-LR EU project (1)
     Small EU project (2005-2007) on archive integration of 4 partners
     • corpus/computational linguistics and endangered language documentation
     • Resource discovery: sharing a single metadata set for searching & browsing
     • Authentication & Authorization: single user identity, single sign-on by using Shibboleth
     • Referencing and citing “archived resources” using a single persistent identifier system

  23. DAM-LR EU project (2)
     Experiences:
     • Standard eduPerson attribute set is probably sufficient (but CCs …)
     • Shibboleth is nice when using web applications, but applications need access too!
     • Shibboleth is efficient when dealing with groups, e.g. staff, student, … but our domain also has to deal with individuals => store user IDs in authorization records
     • DAM-LR was a federation of both IdPs & SPs; CLARIN aims at a much larger potential user group whose home organizations do not want to run a CLARIN-specific IdP => use the national IdFs

  24. Applications need Authentication too
     User scenario: copying resources from different repositories to the local machine
     (diagram: user, IMDI copier application, the Shibboleth-protected Apache front-ends of archive A and archive B, and the IdP)
     • The application speaks only HTTP with basic authentication
     • It does not understand the form-based authentication employed by the Shib. IdP
     • The application is also not able to profit from the SSO over archives
     • Possible solution: use certificates for authentication, obtained by SLCS (but can the auth. handshake be mimicked by software?)

  25. Searching through annotations
     Content search in one archive: no problem (check a single DB)
     (diagram: IdP, Auth DB, search service and DB/SE of the MPI Archive; CHAT, Shoebox and EAF parsers “normalize” the structural format)

  26. Searching through annotations
     Federative search scenario
     (diagram: the IdP handles AuthN; the MPI Archive and Archive B each have their own AuthZ DB, search service and DB/SE; CHAT, Shoebox and EAF parsers “normalize” the structural format; a specialized web portal sits in front of both search services)
     • The web portal app would like to act on behalf of the user and access the search services.

  27. What do we aim for?
     (placeholder bullets only)

  28. Licenses & Codes of conduct 1
     (diagram: browser user, IdP, and SPa and SPb each with its own CC DB)
     • One SP requires a CC to be signed and takes care of this, but only for its own domain
     • This can break the SSO if the user is required to sign the same CC several times
     • CLARIN will harmonize the CCs and licenses to a limited number

  29. Licenses & Codes of conduct 2
     (diagram: browser user, SPa, SPb; the CC DB now sits at the IdP)
     • Store the CC DB info in the user attributes at the IdP (cfr. SWITCH uApprove)
       • But how does it get there?
       • Special app?
       • Not every IdP will/can run this

  30. Licenses & Codes of conduct 3
     (diagram: browser user, IdP, SPa, SPb and a separate CC service with its own CC DB)
     • Create a special CC service. This is part of the SPF, independent of the IdFs
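Slide 23 (groups via eduPerson attributes, individuals via user IDs in authorization records) and slides 28 to 30 (one shared CC service instead of a CC DB per SP) together describe an SP-side access decision. The following is an added example, not code from the slides or from CLARIN: the attribute ids `eppn` and `affiliation` and the `;`-joined multi-values follow the Shibboleth SP's default attribute-map convention, which is assumed here, and the CC ids and users are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class AuthzRecord:
    """Per-resource authorization record: a group rule plus individual IDs."""
    resource: str
    affiliations: set = field(default_factory=set)  # scoped affiliations granted access
    principals: set = field(default_factory=set)    # individual eppn values granted access
    required_cc: str = ""                           # harmonised CC id, empty if none


def parse_shib_attributes(headers):
    """Read the attributes the Shibboleth SP released; multi-values are ';'-joined."""
    eppn = headers.get("eppn", "").strip()
    affiliations = {a for a in headers.get("affiliation", "").split(";") if a}
    return eppn, affiliations


def authorize(headers, record, cc_service):
    """Decide access; cc_service maps eppn -> set of CC ids accepted at the shared CC service."""
    eppn, affiliations = parse_shib_attributes(headers)
    if not eppn:
        return "deny: no identity released by IdP"
    in_group = bool(affiliations & record.affiliations)
    individual = eppn in record.principals
    if not (in_group or individual):
        return "deny: not in authorization record"
    # The CC is accepted once, at the shared service, so SSO across SPs is not broken.
    if record.required_cc and record.required_cc not in cc_service.get(eppn, set()):
        return f"deny: CC {record.required_cc} not accepted"
    return "allow"


# Constructed sample data (hypothetical users, scopes and CC id).
CC_SERVICE = {"alice@mpi.invalid": {"cc-academic-v1"}, "bob@uni-b.invalid": set()}
CORPUS = AuthzRecord("corpus-x", affiliations={"staff@mpi.invalid"},
                     principals={"bob@uni-b.invalid"}, required_cc="cc-academic-v1")


def demo():
    """Three requests: group match with CC, individual match without CC, no match."""
    return [
        authorize({"eppn": "alice@mpi.invalid", "affiliation": "staff@mpi.invalid;member@mpi.invalid"}, CORPUS, CC_SERVICE),
        authorize({"eppn": "bob@uni-b.invalid", "affiliation": "student@uni-b.invalid"}, CORPUS, CC_SERVICE),
        authorize({"eppn": "carol@uni-c.invalid", "affiliation": "staff@uni-c.invalid"}, CORPUS, CC_SERVICE),
    ]
```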

  31. What do we aim for?
     (placeholder bullets only)

  32. AAI Planning (1)
     • Training courses for AAI: support of SimpleSAMLphp, Shibboleth

  33. AAI Planning (2)
     • Centers should make their policies explicit:
       • Integration of SP with AAI
       • IdP support for their users
     • Is there potential for a “fire brigade”?
       • Help with configuration & integration
       • MPG (RZG) does something there, who else?
     • Contracts with national IdFs (WP7)
     • What role has eduGAIN?

  34. What's next?
     • SLCS with SURFnet (preliminary research)
     • Direct interaction with GEANT 3 (May 5/6)
     • Talks with CSC about implementing a CC service
